We are in the payment space and we have built out a lot of our processes in Docker for development environment purposes. Now, we are thinking about converting our production environment, which is in a Xen (HVM) farm, into a Docker/LXC environment to keep both environments in sync. Does anyone know how Docker affects PCI compliance? I've scoured the web but could not really find any answer. It seems the QSAs are also pretty much stumped on this subject as it is so new. Anyone have any input on this matter?
PCI compliance is less about tech and more about documenting your security controls and showing proof that you are following your docs / processes / etc. If it helps, Docker/LXC are far from new concepts. Solaris zones, IBM LPARs, same concepts, really. So document your security controls and show how you protect the flow of cardholder data. Sorry, I know that is a very generic comment. They are probably also looking for "best security practice" and "hardening standards", which are evolving monthly around Docker. I would also request this from Docker specifically. – Aaron Aug 05 '16 at 22:21